spatie/browsershot
cpe:2.3:a:spatie:browsershot:*:*:*:*:*:*:*
- < 5.0.5
A vulnerability exists in the Spatie Browsershot package, specifically in versions prior to 5.0.5, due to improper input validation in the setUrl method. This flaw allows attackers to bypass URL validation, particularly for file URIs, leading to local file inclusion. Exploitation of this vulnerability enables the reading of sensitive files from the server where Browsershot is hosted.
Successful exploitation allows attackers to read any file accessible by the server hosting Browsershot, including sensitive information such as API keys and source code.
To reproduce this vulnerability, use a version of Spatie Browsershot prior to 5.0.5. The vulnerability can be triggered by sending a file URL to the setUrl method, either through a web request or by directly calling the method in a PHP script. The URL can be crafted to bypass the validation by omitting slashes or using URL encoding, such as replacing the newline character with its encoded equivalent. Once the URL is set, Browsershot can be instructed to save the output to a file, which will then contain the contents of the requested file from the server.
Upgrade Spatie Browsershot to version 5.0.5 or higher.
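An added example, not taken from this advisory or from the Browsershot code base: an application-side allow-list check applied to a user-supplied URL before it is passed to setUrl. The helper name isRenderableUrl and the sample URLs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. isRenderableUrl() is a hypothetical application-side helper,
// not part of spatie/browsershot.

function isRenderableUrl(string $raw): bool
{
    // Percent-decode until stable so encoded input is judged in its final form.
    $url = $raw;
    for ($round = 0; $round < 3; $round++) {
        $decoded = rawurldecode($url);
        if ($decoded === $url) {
            break;
        }
        $url = $decoded;
    }
    if (rawurldecode($url) !== $url) {
        return false; // still changing after three rounds: refuse
    }

    // Control characters and backslashes have no place in a URL to render,
    // whether they arrived raw or percent-encoded.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $url) === 1) {
        return false;
    }

    // Allow-list: the decoded value must start with http:// or https://
    // followed by a non-empty authority. Everything else is refused.
    return preg_match('~^https?://[^/?#]+~i', $url) === 1;
}

// Constructed sample inputs.
$samples = [
    'https://example.com/report?id=7',
    'file:///etc/hostname',
    'file:/etc/hostname',
    'https://example.com/%0Apath',
    'HTTPS://EXAMPLE.COM/',
];

foreach ($samples as $sample) {
    printf("%-36s %s\n", $sample, isRenderableUrl($sample) ? 'allow' : 'reject');
}
```

The check accepts only what it recognizes as http or https and refuses everything else, so it complements the upgrade to 5.0.5 and does not replace it.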